Archive for May, 2010

Panty-RAID1 -4- CentOS


So I am working on an older system today, CentOS 4.4 – 2.6.18-93.cc4 to be quite specific, and I needed to add a RAID1 mirror to the existing filesystem because, for whatever reason, when this server was built everything was put under /. Well, it just goes to show you: don't do that, especially if you are locally storing IMAP emails! Anyway, this should be a good tutorial on how to do this should you encounter a similar situation.

I made a remote backup of the /home and /var filesystems just in case… 🙂 Incidentally, those are the two we are working on here.

First, (LOL) shutdown the system and install the new hard disks…

If you are super-duper lucky (like me) upon restart, your hardware will see the new disks just installed, validate that this is also true for you…

dmesg | grep hd    (grep for whatever your /dev designation is for your disks)
ide0: BM-DMA at 0xf800-0xf807, BIOS settings: hda:DMA, hdb:pio
ide1: BM-DMA at 0xf808-0xf80f, BIOS settings: hdc:DMA, hdd:DMA
hda: WDC WD800BB-00JHC0, ATA DISK drive
hdc: WDC WD3200AAJB-00J3A0, ATA DISK drive <-- New drive
hdd: WDC WD3200AAJB-00J3A0, ATA DISK drive <-- New drive

Cool I see my 2 new 320GB disks… 🙂

On to fdisk… I am only going to show the one disk, as they are both identical for my task, and the process is the same no matter what you are doing with your disks.

fdisk /dev/hdc
The number of cylinders for this disk is set to 38913.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): p
Disk /dev/hdc: 320.0 GB, 320072933376 bytes
255 heads, 63 sectors/track, 38913 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot      Start   End     Blocks      Id  System
/dev/hdc1        1       19456   156280288+  fd  Linux raid autodetect
/dev/hdc2        19457   38913   156288352+  fd  Linux raid autodetect

So this is the finished, written partition table. I am going to assume you can figure this part out on your own, so in short: from the menu, select "n" to add a new partition and make it primary. For my task I needed two equal-sized partitions, so I did that as illustrated above, giving me two 147GB partitions to use on each disk:

Device Boot      Start   End     Blocks      Id  System
/dev/hdc1        1       19456   156280288+  fd  Linux raid autodetect
/dev/hdc2        19457   38913   156288352+  fd  Linux raid autodetect
Device Boot      Start   End     Blocks      Id  System
/dev/hdd1        1       19456   156280288+  fd  Linux raid autodetect
/dev/hdd2        19457   38913   156288352+  fd  Linux raid autodetect

A word of advice here… see the Id column? Make sure to set it to "fd" or your array will not come back when you reboot… fd is the Linux RAID autodetect partition type…

Now create the arrays:

mdadm --create /dev/md0 --chunk=64 --level=raid1 --raid-devices=2 /dev/hdc1 /dev/hdd1
mdadm --create /dev/md1 --chunk=64 --level=raid1 --raid-devices=2 /dev/hdc2 /dev/hdd2

Make the file systems:

mkfs.ext3 /dev/md0
mkfs.ext3 /dev/md1

Check the array(s):

cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 hdd2[1] hdc2[0]
      156288256 blocks [2/2] [UU]
md0 : active raid1 hdd1[1] hdc1[0]
      156280192 blocks [2/2] [UU]
      [=====>...............]  resync = 26.7% (41758400/156280192) finish=56.8min speed=33562K/sec

*NOTE – the resync shown in progress here may take a while to complete…

Make the temp mount points:

mkdir home1 var1

Now this part is purely subjective, but I like to do it this way; you can do it however you like.

Edit /etc/fstab adding your new filesystems:

LABEL=/                 /                ext3    defaults        1 1
LABEL=/boot             /boot            ext3    defaults        1 2
/dev/md0                /var             ext3    defaults        1 1
/dev/md1                /home            ext3    defaults        1 1
none                    /dev/pts         devpts  gid=5,mode=620  0 0
none                    /dev/shm         tmpfs   defaults        0 0
none                    /proc            proc    defaults        0 0
none                    /sys             sysfs   defaults        0 0
LABEL=SWAP-hda2         swap             swap    defaults        0 0

Now mount them:

mount -a

df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda3              72G   60G  8.4G  88% /
/dev/hda1             194M   12M  173M   7% /boot
/dev/md0              147G   31G  109G  22% /var1
/dev/md1              147G   11G  130G   8% /home
none                  982M     0  982M   0% /dev/shm

There is one more file to make sure you have, /etc/mdadm.conf, and it should look like this:

cat /etc/mdadm.conf
ARRAY /dev/md1 level=raid1 num-devices=2 UUID=75a8bc67:d6c5a49f:9f889373:47899702
 devices=/dev/hdc2,/dev/hdd2
ARRAY /dev/md0 level=raid1 num-devices=2 UUID=f4aa0764:0cb7aa5f:6d175968:58c838dd
 devices=/dev/hdc1,/dev/hdd1

There is a neat trick to get this info…

mdadm --examine --scan >> /etc/mdadm.conf

Done !

I would suggest rebooting to ensure that everything comes back as expected…
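As an added example (not from the original post), here is a small check to run after that reboot, and again whenever a disk is in doubt: it reads the /proc/mdstat layout shown above, exits non-zero if any array is not active or has a missing member, and reports resync progress. The sample listing is constructed, with md1 deliberately degraded.

```sh
#!/bin/sh
# Added example (not from the original post): check an mdstat listing for
# degraded RAID1 arrays and report resync progress. Assumes the layout shown
# in the post: "mdN : active raid1 ..." followed by "... blocks [n/m] [UU]",
# optionally followed by a resync progress line.

# Constructed sample: md1 has lost a member (hdd2), md0 is still resyncing.
SAMPLE_MDSTAT='Personalities : [raid1]
md1 : active raid1 hdc2[0]
      156288256 blocks [2/1] [U_]
md0 : active raid1 hdd1[1] hdc1[0]
      156280192 blocks [2/2] [UU]
      [=====>...............]  resync = 26.7% (41758400/156280192) finish=56.8min speed=33562K/sec

unused devices: <none>'

# mdstat_health [FILE]   (defaults to /proc/mdstat)
# Prints one line per array: "<dev> OK|DEGRADED <member map>", plus
# "<dev> SYNCING <percent>" while a resync is running. Exit status is 1 if
# any array is not active or has a missing member ("_" in the map).
mdstat_health() {
    awk '
        /^md[0-9]+ :/ { dev = $1; state = $3; next }
        dev != "" && /blocks/ {
            map = $NF                       # e.g. [UU] or [U_]
            if (state != "active" || map ~ /_/) { bad++; verdict = "DEGRADED" }
            else verdict = "OK"
            printf "%s %s %s\n", dev, verdict, map
            last = dev; dev = ""
        }
        /resync|recovery/ {
            for (i = 1; i <= NF; i++) if ($i == "=") pct = $(i + 1)
            printf "%s SYNCING %s\n", last, pct
        }
        END { exit (bad > 0 ? 1 : 0) }
    ' "${1:-/proc/mdstat}"
}

# Stand-alone demo on the constructed sample; on a live box call
# mdstat_health with no argument to read /proc/mdstat instead.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MDSTAT" > "$tmp"
mdstat_health "$tmp" || echo "WARNING: at least one array is degraded"
rm -f "$tmp"
```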


SUN-Jail – Solaris 10 convicted ! Part II Dammit… I forgot to lock the door !


OK… so hopefully you already went through Part I; if not, this may not make much sense, as I am not going to revisit anything here. This is the mod_tls setup for FTPS, or FTPES if you are using FileZilla… I was not familiar with the FTPES connection mode, but now I am, and so are you… I was using FireFTP and everything was working fine, but in the interest of testing more than what I use, I found this new tidbit of information 🙂

So let's first tweak the proftpd.conf file; add this to the bottom of the file:

<IfModule mod_tls.c>
TLSEngine                  on
TLSLog                     /var/log/proftpd/tls.log
TLSProtocol                SSLv23
TLSOptions                 NoCertRequest
TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.cert.pem
TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key.pem
TLSVerifyClient            off
TLSRequired                off
</IfModule>
Take note of the files referenced here. Go ahead and create the log dir; definitely do this, as you will need the log if anything is not working… and then we can move on to making the key/cert. Keep in mind that I am using webmin for the proftpd control, and it lets you apply changes following a save, eliminating the need for a manual restart of proftpd 🙂

Make this dir; if you don't, the key/cert command will whine like a bitty baby…

mkdir -p /etc/proftpd/ssl

Then make the key/cert:

openssl req -new -x509 -days 365 -nodes -out /etc/proftpd/ssl/proftpd.cert.pem -keyout /etc/proftpd/ssl/proftpd.key.pem

Make sure to answer all the questions you are asked:

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g., "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g., "server1.example.com").
Email Address []: <-- Enter your Email Address.

And now we are done again. Not too bad… right? I set up a few test users so I could tail the log file and watch as they log in, to make sure I can see what is expected as well as what isn't…

May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:27 mod_tls/2.2.1[2021]: Protection set to Private
May 25 15:35:51 mod_tls/2.2.1[2022]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake
May 25 15:36:33 mod_tls/2.2.1[2023]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
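As an added example that is not part of the original post, here is a per-session summary of those tls.log lines, keyed on the ProFTPD child PID: it flags a session whose handshake never completed, whose client never issued PROT P (the "Protection set to Private" line; without it the data connections stay in the clear), or whose cipher is below an assumed 128-bit minimum. The sample is the post's excerpt with PID 2023 cut short to show an incomplete handshake; note that with TLSRequired off, a session that never starts TLS leaves no trace in this log, so the check only covers sessions that did.

```sh
#!/bin/sh
# Added example (not from the original post): summarise mod_tls sessions from
# the tls.log format shown above, one line per ProFTPD child PID.
# MIN_BITS is an assumed local policy, not a ProFTPD setting.
MIN_BITS=128

# Sample input: the post's log excerpt, with PID 2023 cut short (constructed).
SAMPLE_TLS_LOG='May 25 15:35:08 mod_tls/2.2.1[2020]: using default OpenSSL verification locations (see $SSL_CERT_DIR environment variable)
May 25 15:35:08 mod_tls/2.2.1[2020]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:09 mod_tls/2.2.1[2020]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:35:10 mod_tls/2.2.1[2020]: Protection set to Private
May 25 15:35:26 mod_tls/2.2.1[2021]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:27 mod_tls/2.2.1[2021]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES128-SHA (128 bits)
May 25 15:35:27 mod_tls/2.2.1[2021]: Protection set to Private
May 25 15:35:52 mod_tls/2.2.1[2022]: TLS/TLS-C requested, starting TLS handshake
May 25 15:35:52 mod_tls/2.2.1[2022]: TLSv1/SSLv3 connection accepted, using cipher DHE-RSA-AES256-SHA (256 bits)
May 25 15:36:33 mod_tls/2.2.1[2023]: TLS/TLS-C requested, starting TLS handshake'

# tls_sessions [FILE]   (defaults to the TLSLog path from the config above)
# Prints "<pid> OK|NO-HANDSHAKE|WEAK-CIPHER|NO-PROT-P <cipher> <bits>" per PID
# in first-seen order; exit status is 1 if any session was flagged.
tls_sessions() {
    awk -v min="$MIN_BITS" '
        match($0, /\[[0-9]+\]:/) {
            pid = substr($0, RSTART + 1, RLENGTH - 3)        # "[2020]:" -> 2020
            if (!(pid in seen)) { seen[pid] = 1; order[++n] = pid }
            if ($0 ~ /connection accepted, using cipher/) {
                for (i = 1; i <= NF; i++) if ($i == "cipher") cipher[pid] = $(i + 1)
                bits[pid] = $(NF - 1); sub(/\(/, "", bits[pid])   # "(256" -> 256
            }
            if ($0 ~ /Protection set to Private/) protp[pid] = 1   # client sent PROT P
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in bits))                  { v = "NO-HANDSHAKE"; bad++ }
                else if (bits[p] + 0 < (min + 0))  { v = "WEAK-CIPHER";  bad++ }
                else if (!(p in protp))            { v = "NO-PROT-P";    bad++ }
                else                                 v = "OK"
                printf "%s %s %s %s\n", p, v, ((p in cipher) ? cipher[p] : "-"), ((p in bits) ? bits[p] : "-")
            }
            exit (bad > 0 ? 1 : 0)
        }
    ' "${1:-/var/log/proftpd/tls.log}"
}

# Stand-alone demo on the sample; on the server call tls_sessions with no argument.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_TLS_LOG" > "$tmp"
tls_sessions "$tmp" || echo "WARNING: some TLS sessions need attention"
rm -f "$tmp"
```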


SUN-Jail – Solaris 10 convicted ! Part I


OK… so a while back I did something about jails for FTP… Odd that I don't even remember what it was for, let alone being too lazy to go back and look to make proper reference here… but anyway, I have a successful and simple approach to doing this on Solaris 10, and seeing that I get a LOT of hits for my Solaris posts, this may in fact be another good destination. I went back to my tried and true buddy, webmin, for this, with as little effort as possible. I decided to use the ProFTPd module that comes (the icon, anyway) included with webmin for Solaris (which, by the by, is also a default package on Sol 10) and packages from the sunfreeware site. So let's get started with the required packages and some basic system tweaks you may or may not need:

I started out making a repo dir under /export/home as it is a large one on these systems:

mkdir /export/home/sunfreeware

cd /export/home/sunfreeware

For whatever reason, the default $PATH for Solaris 10 is as bare as it comes, leaving out lots of cool, already-installed tools, wget for example. I created a .profile and added this PATH:

PATH=/usr/bin:/usr/sbin:/usr/local/bin:/usr/sfw/bin:/usr/local/sbin

This covers everything I found useful without absolute paths (and without actually knowing where the f' it is !!!)…

Here is a listing of what I needed (you may or may not need all of these):

gcc-3.4.6-sol10-x86-local.gz
make-3.81-sol10-x86-local.gz
openssl-1.0.0-sol10-x86-local.gz
proftpd-1.3.2-sol10-x86-local.gz
rssh-2.3.2-sol10-x86-local.gz

So let's quickly grab these…

cd /export/home/sunfreeware (in case you were not there already 🙂 )

for i in gcc-3.4.6-sol10-x86-local.gz make-3.81-sol10-x86-local.gz openssl-1.0.0-sol10-x86-local.gz proftpd-1.3.2-sol10-x86-local.gz rssh-2.3.2-sol10-x86-local.gz; do wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/$i; done

Then gunzip them:

for i in `ls`; do gunzip $i; done

Then pkgadd them:

for i in `ls`; do pkgadd -d $i; done

(You will need to answer at least the creation of the /usr/local/bin dir if it is not already there, and the default 'ALL' question for each iteration.)

Before you get yourself all in a tizzy… let's stop the default FTP service:

svcadm disable network/ftp

OK… now let's install webmin:

webminsetup (see how handy our PATH has been so far… 🙂 )

Answer the questions however you like… and voilà… Done 🙂

Now we need to make a few tweaks to the ProFTPd settings:

You may have to click on this pic to see the line to which I am referring, but in any event you want to uncomment this line so that ALL users are jailed to their defined home dir… and let me tell you, this is as easy as that process gets. There is one other setting we need to make to ensure this takes place, but it is in fact a radio button, so nothing overly complex there. I also made the usual permissions changes on the user dirs to ensure the most security possible, and a few other changes… well, let's look at that step by step, shall we…

OK, so as you can see (from the wget up above) I grabbed rssh, a restricted shell. Whether or not any of this is actually necessary is highly speculative, but I will at least illustrate what I did.

/usr/local/etc/rssh.conf

allowsftp <-- This is all I wanted to allow

# If you want to chroot users, use this to set the directory where the root of
# the chroot jail will be located.
#
# if you DO NOT want to chroot users, LEAVE THIS COMMENTED OUT.
chrootpath = /export/home/chroot <-- Make this whatever you are jailing your users to

You will also need to make an entry in /etc/shells (and create it if it is not there):

/usr/local/bin/rssh

ftptest:x:104:100:FTP Test User:/export/home/chroot/ftptest:/usr/local/bin/rssh

# id ftptest
uid=104(ftptest) gid=100(ftptest)

drwx------   2 ftptest ftptest      512 May 20 15:17 ftptest

From the main module screen, simply select the "Files and Directories" option to open the module. I should mention that we are already in the ProFTPd module at this point, so if you are not there, simply click on the "Servers" link in the top left and then select "ProFTPD Server" and you will be at this very page. Take note of where things are in Webmin, as surely you will want to go back and make lots of additional amendments to whatever else you have running on the system.

All we are looking at here is making sure that you restrict the user to their home directory. This may be kind of obvious, but make sure you START the service as well… It can be done from any module. Up in the right corner you will see a "Start ProFTPd Service" button… click it. I would also run a few commands from the console just to see what you have going on; you should have some understanding, outside of a graphical environment, of what is really taking place here. So let's run some simple commands, shall we???

# ps -ef |grep ftp
ftptest2  4951  4430   0 10:38:45 ?           0:00 /usr/local/sbin/proftpd
nobody  4430     1   0 10:20:35 ?           0:00 /usr/local/sbin/proftpd
root  5193  4197   0 12:43:10 pts/2       0:00 grep ftp

Make sure you don't see anything other than the proftpd service running… (remember we stopped the default ftp service earlier, right???)

# /usr/local/sbin/proftpd -vv
 - mod_tls/2.2.1: compiled using OpenSSL version 'OpenSSL 0.9.8k 25 Mar 2009' headers, but linked to OpenSSL version 'OpenSSL 0.9.8n 24 Mar 2010' library
ProFTPD Version: 1.3.2 (stable)
Scoreboard Version: 01040002
Built: Wed May 13 16:36:46 EDT 2009

Loaded modules:
mod_tls/2.2.1
mod_md5fs.c
mod_readme.c
mod_auth_pam/1.1
mod_ident/1.0
mod_facts/0.1
mod_delay/0.6
mod_site.c
mod_log.c
mod_ls.c
mod_auth.c
mod_auth_file/0.8.3
mod_auth_unix.c
mod_xfer.c
mod_core.c

And that's it 🙂 Go and test it to ensure you have achieved the expected results:

This is exactly what I was expecting. Make sure you cannot move out of this dir and you are all set… 🙂

So this is all fine and dandy, but who wants to use regular FTP? I would hope no one in a business environment, anyway… Part II deals with using the mod_tls module packaged with proftpd. For whatever reason, it was actually a pretty big pain in the a$$ to get this whole thing working…
